Configuring FSSO and SAML on the FortiAuthenticator

  1. On the FortiAuthenticator, go to System > Dashboard > Status.

    In the System Information widget, select Change beside Device FQDN.

    Enter a domain name (in this example, fac.school.net). This helps identify where the FortiAuthenticator is located in the DNS hierarchy.

  2. Enter the same name for the Host Name. This lets you add the unit to the FortiGate’s DNS list so that the FortiGate can resolve this FQDN with a local DNS lookup.

  3. On the FortiAuthenticator, go to Fortinet SSO Methods > SSO > General and set FortiGate SSO options. Make sure to Enable authentication.

    Enter a Secret key and select OK to apply your changes. This Secret key is used on the FortiGate to add the FortiAuthenticator as the FSSO server.

  4. Go to Fortinet SSO Methods > SSO > SAML Authentication and select Enable SAML portal. All necessary URLs are automatically generated:
    • Portal URL: captive portal URL for the FortiGate and user.
    • Entity ID: used in the Centrify SAML IdP application setup.
    • ACS (login) URL: assertion POST URL used by the SAML IdP.

    Under SAML assertions, enable Text-based list and enter Memberof (this field is case-sensitive).

    Keep this window open as these URLs are needed to configure the IdP application and for testing.

    You cannot save these settings yet as the IdP information (IDP entity id, IDP single sign-on URL, and IDP certificate fingerprint) still needs to be entered. These fields will be filled once the IdP application configuration is complete.
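The values generated in step 4 are the service-provider side of the SAML exchange: the IdP must send assertions whose Audience is the Entity ID, whose Recipient is the ACS (login) URL, and whose group attribute is named exactly Memberof. The following added example (not Fortinet code; the Entity ID and ACS URL are placeholders, and the assertion is a constructed, unsigned sample) checks an assertion against those three fields, which is a quick way to diagnose why group-based FSSO never matches after the IdP application is configured.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
# Placeholders: on a real deployment copy these from the SAML Authentication page.
ENTITY_ID = "https://fac.school.net/ENTITY-ID-PLACEHOLDER"
ACS_URL = "https://fac.school.net/ACS-LOGIN-URL-PLACEHOLDER"
GROUP_ATTR = "Memberof"  # the Text-based list attribute name, case-sensitive

# Constructed sample assertion (unsigned, trimmed to the fields this check needs).
# Its group attribute is spelled "memberOf", the mismatch the page warns about.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example" Version="2.0">
  <saml:Subject>
    <saml:NameID>jsmith@school.net</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{ACS_URL}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf"><saml:AttributeValue>Students</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text):
    """Return the list of SP-side mismatches; an empty list means the fields line up."""
    root = ET.fromstring(xml_text)
    problems = []
    audience = root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != ENTITY_ID:
        problems.append(f"Audience {audience!r} does not match the Entity ID")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != ACS_URL:
        problems.append(f"Recipient {recipient!r} is not the ACS (login) URL")
    names = [a.get("Name") for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)]
    if GROUP_ATTR not in names:  # exact match: "memberOf" or "MemberOf" would not be read
        problems.append(f"no {GROUP_ATTR!r} attribute (case-sensitive); found {names}")
    return problems

def groups_from(xml_text):
    """Group values the FortiAuthenticator would read from the Memberof attribute."""
    root = ET.fromstring(xml_text)
    return [v.text for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)
            if a.get("Name") == GROUP_ATTR for v in a.findall("saml:AttributeValue", NS)]

if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION) or "OK", groups_from(SAMPLE_ASSERTION))
```

Signature and timestamp validation are done by the FortiAuthenticator itself; this script only isolates the field mismatches that leave a user authenticated but with no groups.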
